File 46532e3e-CVE-2013-0170.patch of Package libvirt.openSUSE_12.1_Update

commit b5a34d96ff776dd1e6d2689df05cccc217bdf3e2
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Fri Jan 4 16:15:04 2013 +0100

    rpc: Fix crash on error paths of message dispatching
    
    This patch resolves CVE-2013-0170:
    https://bugzilla.redhat.com/show_bug.cgi?id=893450
    
    When reading and dispatching of a message failed the message was freed
    but wasn't removed from the message queue.
    
    After that when the connection was about to be closed the pointer for
    the message was still present in the queue and it was passed to
    virNetMessageFree which tried to call the callback function from an
    uninitialized pointer.
    
    This patch removes the message from the queue before it's freed.
    
    * rpc/virnetserverclient.c: virNetServerClientDispatchRead:
        - avoid use after free of RPC messages
    (cherry picked from commit 46532e3e8ed5f5a736a02f67d6c805492f9ca720)
    
    Conflicts:
    	src/rpc/virnetserverclient.c

Index: libvirt-0.9.6/src/rpc/virnetserverclient.c
===================================================================
--- libvirt-0.9.6.orig/src/rpc/virnetserverclient.c
+++ libvirt-0.9.6/src/rpc/virnetserverclient.c
@@ -767,6 +767,7 @@ readmore:
 
         /* Decode the header so we can use it for routing decisions */
         if (virNetMessageDecodeHeader(msg) < 0) {
+            virNetMessageQueueServe(&client->rx);
             virNetMessageFree(msg);
             client->wantClose = true;
             return;
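Review bot: In the virNetMessageDecodeHeader failure branch, the added virNetMessageQueueServe(&client->rx) call discards its result, so nothing in the hunk ties the entry taken off client->rx to the msg that is freed on the next line. A short comment stating that msg is the head of client->rx at this point, or a check that the served message equals msg, would make that invariant explicit. Also, the commit message speaks of error paths in the plural and the backport lists a conflict in src/rpc/virnetserverclient.c, but only this one branch is touched here; any other branch of virNetServerClientDispatchRead that frees msg while it is still queued should be confirmed to dequeue it first.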